I believe people playing over WIFI could be in that situation (honeypot WIFI hotspots). But what would be the point anyway? There's no micro-payment, there's no precious account credentials... Being MITM'd in the context of Minetest would almost be an honor: you have skilled enemies.rubenwardy wrote:The communication should be encrypted as it avoids MITM attacks, but in real terms it's not going to be that big of an issue as Minetest isn't that common and becoming a MITM is hard without being on the same network.
MT Server-Client Communication encrypted ?
Re: MT Server-Client Communication encrypted ?
- Linuxdirk
- Member
- Posts: 3219
- Joined: Wed Sep 17, 2014 11:21
- In-game: Linuxdirk
- Location: Germany
- Contact:
Re: MT Server-Client Communication encrypted ?
You have the permissions of the user account running Minetest. You could then sneak in a server-sent client-side mod farming your favorite crypto currency in the RAM of the user (pretty much limited because of LuaJIT’s memory limit but still a possible attack vector). Then have the mod send the result back to the server but grab the packets and redirect the result to your machine. Multiply by Minetest players worldwide.Astrobe wrote:But what would be the point anyway?
Or try to break out of the sandbox (the used LuaJIT version is several years old) and run arbitrary code in user context.
Re: MT Server-Client Communication encrypted ?
There is people who take risks for nothing.Astrobe wrote: Of course nobody would take risks for nothing. If you refuse to go beyond this argument level, there's no point in talking.
This is why women live longer than men.
Astrobe wrote: Please someone at least attack my argument on the overhead encryption introduces.
Done.CryptoPP::AES::Encryption aesEncryption(key, CryptoPP::AES::DEFAULT_KEYLENGTH);
CryptoPP::CBC_Mode_ExternalCipher::Encryption cbcEncryption( aesEncryption, iv );
CryptoPP::StreamTransformationFilter stfEncryptor(cbcEncryption, new CryptoPP::StringSink( ciphertext ) );
stfEncryptor.Put( reinterpret_cast<const unsigned char*>( plaintext.c_str() ), plaintext.length() + 1 );
stfEncryptor.MessageEnd();
Also, this one is one of the more complicated examples.
A man much wiser than me once said: "go away, you are bothering me"
-
- Moderator
- Posts: 4095
- Joined: Wed Aug 24, 2011 09:44
- GitHub: sfan5
- IRC: sfan5
- Location: Germany
Re: MT Server-Client Communication encrypted ?
Reminder that encryption without authentication is useless.
If you don't add something like TLS certificates, MITM is still equally possible.
Besides, Astrobe was talking about the size overhead of encryption, not its implementation.
If you don't add something like TLS certificates, MITM is still equally possible.
source?Linuxdirk wrote:the used LuaJIT version is several years old
AES-CBC, no MAC (or AEAD). Congratulations, you fail.Vapalus wrote:Done.CryptoPP::AES::Encryption aesEncryption(key, CryptoPP::AES::DEFAULT_KEYLENGTH);
CryptoPP::CBC_Mode_ExternalCipher::Encryption cbcEncryption( aesEncryption, iv );
CryptoPP::StreamTransformationFilter stfEncryptor(cbcEncryption, new CryptoPP::StringSink( ciphertext ) );
stfEncryptor.Put( reinterpret_cast<const unsigned char*>( plaintext.c_str() ), plaintext.length() + 1 );
stfEncryptor.MessageEnd();
Also, this one is one of the more complicated examples.
Besides, Astrobe was talking about the size overhead of encryption, not its implementation.
- Linuxdirk
- Member
- Posts: 3219
- Joined: Wed Sep 17, 2014 11:21
- In-game: Linuxdirk
- Location: Germany
- Contact:
Re: MT Server-Client Communication encrypted ?
“we are using latest 5.1.4 which is 4 years old” - nerzul on Github.sfan5 wrote:source?Linuxdirk wrote:the used LuaJIT version is several years old
https://github.com/minetest/minetest/is ... -359457813
-
- Moderator
- Posts: 4095
- Joined: Wed Aug 24, 2011 09:44
- GitHub: sfan5
- IRC: sfan5
- Location: Germany
Re: MT Server-Client Communication encrypted ?
This is the version of the imported Lua codebase we have in Minetest, not LuaJIT.Linuxdirk wrote:sfan5 wrote:“we are using latest 5.1.4 which is 4 years old” - nerzul on Github.
https://github.com/minetest/minetest/is ... -359457813
Most builds, including the official Windows ones, use LuaJIT 2.1.0-beta3 which was released in May last year.
- Linuxdirk
- Member
- Posts: 3219
- Joined: Wed Sep 17, 2014 11:21
- In-game: Linuxdirk
- Location: Germany
- Contact:
Re: MT Server-Client Communication encrypted ?
Mmmh, okay ... Then the used Lua version is several years old. That changes the attack vector but does not close it.
Who is online
Users browsing this forum: No registered users and 24 guests